RubyGems - brakeman - Versions diffs - 4.9.1 → 4.10.0 - Mend

brakeman 4.9.1 → 4.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGES.md +4 -0
data/lib/brakeman.rb +4 -0
data/lib/brakeman/options.rb +1 -1
data/lib/brakeman/report.rb +7 -0
data/lib/brakeman/report/report_sarif.rb +114 -0
data/lib/brakeman/version.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e74c091d971966f1da9c247651b9d7250c33ddb826d1932c6d0a67e4bdc7642
-  data.tar.gz: bf1253b2db22fc51df78cec8610589e05598e3dbf7228f83753acdf3078920f7
+  metadata.gz: 5b1be4496aae700f3a9f60ba8ce4502b8ad278669336e9b76e35b626a2c0ec67
+  data.tar.gz: 1f550b46ffcf86e0bdb8ecd6c98d531db2a33e76697c2a7877703bcb7c6f8a15
 SHA512:
-  metadata.gz: db82e3110b5b4b64abeb931f08bccd391eb5e061909cf9bd2e57663fcdc4fcf8d6bc77b848ebe16908480a82e1cb7f5558b74557b920a8e793a2dfc9fab4d099
-  data.tar.gz: 75f4ecea562306868dfe682228d109a8991c57beca83a7222085561d74fd8a3d4338fd79d058a18ddeb7f8a4beb33ebca6b6fe732250cb9d44fd75da197d951c
+  metadata.gz: 54daba5852a749294bc3f4d62f511a9e04d8befb1cf44e984390cb37e3ecbde493948bc0fc475140c38da450434a5bf4b644028ac9706d7aaf02b4edecdcd86b
+  data.tar.gz: adcdaa789d59514e1909beb72f79c32debcc2bf4f351ea95ad2292226d3061dccb0bf57ca7822e7fdc641b04ba0d643f838b6073f0fe077e149608dbbee1196d

data/CHANGES.md CHANGED

@@ -1,3 +1,7 @@
+# 4.10.0 - 2020-09-28
+* Add SARIF report format (Steve Winton)
 # 4.9.1 - 2020-09-04
 * Check `chomp`ed strings for SQL injection

data/lib/brakeman.rb CHANGED

@@ -237,6 +237,8 @@ module Brakeman
       [:to_table]
     when :junit, :to_junit
       [:to_junit]
+    when :sarif, :to_sarif
+      [:to_sarif]
     else
       [:to_text]
     end
@@ -266,6 +268,8 @@ module Brakeman
         :to_table
       when /\.junit$/i
         :to_junit
+      when /\.sarif$/i
+        :to_sarif
       else
         :to_text
       end

data/lib/brakeman/options.rb CHANGED

@@ -229,7 +229,7 @@ module Brakeman::Options
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif],
           "Specify output formats. Default is text" do |type|
           type = "s" if type == :text

data/lib/brakeman/report.rb CHANGED

@@ -43,6 +43,8 @@ class Brakeman::Report
     when :to_junit
       require_report 'junit'
       Brakeman::Report::JUnit
+    when :to_sarif
+      return self.to_sarif
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end
@@ -85,6 +87,11 @@ class Brakeman::Report
   alias to_plain to_text
   alias to_s to_text
+  def to_sarif
+    require_report 'sarif'
+    generate Brakeman::Report::SARIF
+  end
   def generate reporter
     reporter.new(@tracker).generate_report
   end

data/lib/brakeman/report/report_sarif.rb ADDED

@@ -0,0 +1,114 @@
+class Brakeman::Report::SARIF < Brakeman::Report::Base
+  def generate_report
+    sarif_log = {
+      :version => '2.1.0',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :runs => runs,
+    }
+    JSON.pretty_generate sarif_log
+  end
+  def runs
+    [
+      {
+        :tool => {
+          :driver => {
+            :name => 'Brakeman',
+            :informationUri => 'https://brakemanscanner.org',
+            :semanticVersion => Brakeman::Version,
+            :rules => rules,
+          },
+        },
+        :results => results,
+      },
+    ]
+  end
+  def rules
+    @rules ||= unique_warnings_by_warning_code.map do |warning|
+      rule_id = render_id warning
+      check_name = warning.check.gsub(/^Brakeman::Check/, '')
+      check_description = render_message check_descriptions[check_name]
+      {
+        :id => rule_id,
+        :name => "#{check_name}/#{warning.warning_type}",
+        :fullDescription => {
+          :text => check_description,
+        },
+        :helpUri => warning.link,
+        :help => {
+          :text => "More info: #{warning.link}.",
+          :markdown => "[More info](#{warning.link}).",
+        },
+        :properties => {
+          :tags => [check_name],
+        },
+      }
+    end
+  end
+  def results
+    @results ||= all_warnings.map do |warning|
+      rule_id = render_id warning
+      result_level = infer_level warning
+      message_text = render_message warning.message.to_s
+      result = {
+        :ruleId => rule_id,
+        :ruleIndex => rules.index { |r| r[:id] == rule_id },
+        :level => result_level,
+        :message => {
+          :text => message_text,
+        },
+        :locations => [
+          :physicalLocation => {
+            :artifactLocation => {
+              :uri => warning.file.relative,
+              :uriBaseId => '%SRCROOT%',
+            },
+            :region => {
+              :startLine => warning.line.is_a?(Integer) ? warning.line : 1,
+            },
+          },
+        ],
+      }
+      result
+    end
+  end
+  # Returns a hash of all check descriptions, keyed by check namne
+  def check_descriptions
+    @check_descriptions ||= Brakeman::Checks.checks.map do |check|
+      [check.name.gsub(/^Check/, ''), check.description]
+    end.to_h
+  end
+  # Returns a de-duplicated set of warnings, used to generate rules
+  def unique_warnings_by_warning_code
+    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+  end
+  def render_id warning
+    # Include alpha prefix to provide 'compiler error' appearance
+    "BRAKE#{'%04d' % warning.warning_code}" # 46 becomes BRAKE0046, for example
+  end
+  def render_message message
+    # Ensure message ends with a period
+    if message.end_with? "."
+      message
+    else
+      "#{message}."
+    end
+  end
+  def infer_level warning
+    # Infer result level from warning confidence
+    @@levels_from_confidence ||= Hash.new('warning').update({
+      0 => 'error',    # 0 represents 'high confidence', which we infer as 'error'
+      1 => 'warning',  # 1 represents 'medium confidence' which we infer as 'warning'
+      2 => 'note',     # 2 represents 'weak, or low, confidence', which we infer as 'note'
+    })
+    @@levels_from_confidence[warning.confidence]
+  end
+end

data/lib/brakeman/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.9.1"
+  Version = "4.10.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 4.9.1
+  version: 4.10.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-04 00:00:00.000000000 Z
+date: 2020-09-28 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -515,6 +515,7 @@ files:
 - lib/brakeman/report/report_json.rb
 - lib/brakeman/report/report_junit.rb
 - lib/brakeman/report/report_markdown.rb
+- lib/brakeman/report/report_sarif.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
 - lib/brakeman/report/report_text.rb